Laravel Validation: All Your Base Are Belong To Us

We all use Laravel's Validation feature to ensure we have the required input and that it matches some sort of rule. The available rules cover plenty of situations, but they fail to cover one of the most important ones: input sanitization.

But wait, there’s more

Since you only required the name and made sure it was 255 chars or less, the "user" was allowed to input anything they wanted, in this case a pretty 'hello world' alert loop that crashes Firefox.

Buy now and we’ll double your order

Double up your dirty database with any kind of unescaped output of the user's name and let the magic begin.

If by magic you mean things users will exploit.

The User Auth example escapes all of the strings with {{ }} before displaying them to the user, so there won't be much magic going on with that example.

If you output a variable, even an escaped one, inside a <script> block or inside an HTML tag attribute (the <... =""> case), your ticket to the magic show is valid, so watch out. HTML escaping only protects the HTML body; even escaped output can trigger XSS and other attacks when it lands in the wrong context.

It’s 2016, you probably have an API

Did you do any validation on the output from the API? Most API packages for Laravel let you transform your data; if you didn't sanitize the output in that transformation, then whatever the user provided is sent straight to your frontend.

Did you sanitize the output in your frontend? Well if you didn’t, congrats, your entrance to the magic show has been granted. Be prepared to be amused.

Hurry, while supplies last

You can easily close the door on exploits and dirty databases by properly validating and sanitizing your users' input.

Whitelisting, mmmm.

If you validate user input against a whitelist, you ensure you get only the data you want. A simple alpha_num or regex rule can often do the trick.

This works great when you need to allow HTML or need a very specific type of value.

It’s not very practical for all of your fields.

For those generic fields that can accept almost anything (like utf8 and unicode text), another solution may work better for you: sanitizing.

Sanitizing the user's input helps prevent the user from inserting possible exploits and mucking up your database.

It's not as foolproof as a whitelist, but it is the most recommended method I've seen over the years.

Many people sanitize their inputs with htmlspecialchars, some like strip_tags, but I prefer HTMLPurifier.

Note: 'mews/purifier' does allow some HTML in the inputs by default; you can adjust this in its config.
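Putting the two halves together, here is an added example (mine, not from the original post or the package): a controller that whitelists the strict fields with plain Laravel rules and runs the one free-form field through mews/purifier. The field names, the Post model and the allowed-tag list are my assumptions; `$request->validate()` (Laravel 5.5+) and the package's `clean()` helper are real.

```php
<?php
// Added example, not from the original post. Assumes Laravel 5.5+ and the
// mews/purifier package. Field names, the allowed-tag list and App\Post are
// made up for illustration.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use App\Post; // hypothetical Eloquent model

class PostController extends Controller
{
    public function store(Request $request)
    {
        // Whitelist: anything outside the allowed shape fails validation.
        // required|max:255 on its own (as in the post) happily accepts
        // markup; alpha_num and a regex do not.
        $data = $request->validate([
            'username' => 'required|alpha_num|max:32',
            // array form so the regex can contain a pipe if it ever needs one
            'name'     => ['required', 'max:255', 'regex:/^[\pL\pM\s\'\-\.]+$/u'],
            // free-form, may legitimately contain some HTML and any unicode
            'body'     => 'required|string|max:10000',
        ]);

        // Sanitize: HTML Purifier rewrites 'body' to a safe subset instead of
        // rejecting it. The inline config overrides the package default
        // (which still allows a handful of tags); use 'HTML.Allowed' => ''
        // to strip every tag.
        $data['body'] = clean($data['body'], [
            'HTML.Allowed'       => 'p,br,b,strong,i,em,ul,ol,li,a[href]',
            'URI.AllowedSchemes' => ['http' => true, 'https' => true],
        ]);

        Post::create($data);

        return redirect()->route('posts.index');
    }
}
```

Sanitizing on the way in does not excuse you from escaping on the way out: keep the {{ }} in your Blade views and use @json (or json_encode) for anything placed inside a <script> block.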

Your order has shipped

Unbox it and start putting it together. The inputs are yours so you’ll need to decide what method to choose.